Never mind what you actually text or say on the phone -- now even the way you tap, hold and move it can be tracked.
A U.S. research team revealed your smartphone and tablet's "tilt" and "swipe" motion sensor data -- which cannot be blocked -- can be used to track your movements and even determine your passwords.
Smartphone accelerometers -- the gadget that helps your phone determine which way is up or down and how the screen should be oriented -- emit a unique data “fingerprint” that can allow your phone to be tracked. Even if all other privacy settings are locked down, the phone still shares this data with hungry apps or hackers, according to the MIT Technology Review.
Tiny hardware imperfections in smartphone and tablet accelerometers lead to these unique “fingerprints” within the data they produce, Romit Roy Choudhury revealed. The University of Illinois associate professor investigated the phenomenon with colleagues at the University of South Carolina.
“There has been a lot of work to catch the leakage of ID information from phones,” Choudhury reveals in their paper. “We are now saying that accelerometer data going out of the phone can be treated as an ID.”
From the MIT Technology Review:
"Even if you don’t allow apps to see your personal data or location, just the raw movements of the phone—which can be measured without permission—can betray the phone’s unique identity and track it over time ... Indeed, earlier research had shown that accelerometer data can also be used to infer passwords based on the taps people make on their phones."
Accelerometers use a technology called micro-electro-mechanical systems, or MEMS. Tiny metal bars move between other metal bars in response to motion, and the changes in those capacitors indicate 3-D movement. Using this information, a smartphone processor can determine a necessary change in screen orientation, or translate physical movements to a character in a game.
But the underlying data from those motions and movements varies ever so slightly from phone to phone, and accelerometer to accelerometer, the researchers found. After testing 80 accelerometer chips -- 25 Android phones and two tablets that used accelerometers -- the researchers could pick out the specific user "fingerprint" with 96 percent accuracy.
Every smartphone contains these accelerometers, and applications ranging from your children's games to pedometers get free use of that information.
[sharequote align="center"]Accelerometer data going out of the phone can be treated as an ID.[/sharequote]
Many of these apps rely on advertising dollars, and this tracking data is one more way advertisers can track users and their Web habits. By blocking cookies most users can avoid being tracked by that data, but this new accelerometer-watching technique provides “cookie-less methods to identify devices” - and the researchers have not found a way to fix it, SC Magazine reported.
“An accelerometer fingerprint can serve as an electronic cookie, empowering an adversary to consolidate data per user, and track them over space and time," the research team states in their paper. "Alarmingly, such a cookie is hard to erase, unless the accelerometer wears out to the degree that its fingerprint becomes inconsistent. We have not noticed any evidence of this in the nine months of experimentation with 107 accelerometers.”
In case you are wondering, your computer isn't immune to this kind of tracking, either.
Instead of reading data from an accelerometer, a website can look at the characteristics of a computer such as what plug-ins and software you have installed, the size of the screen, the time zone, fonts and other features of any particular machine, giving that laptop or desktop a distinct signature. The Electronic Frontier Foundation found that 94 percent of Flash or Java browsers – which enable key features in Internet browsing – had unique, fingerprint-like identities, Forbes reports.
So what do you think? Should the tracking of this accelerometer data be outlawed like the tracking of cookie data?
(H/T: SC Magazine)
Follow Elizabeth Kreft (@elizabethakreft) on Twitter.